Motivation


The development of Cyber-Physical Systems (aircraft, cars, trains, robots, etc.) increasingly relies on many types of analyses from different disciplines for assurance purposes

•  Control stability, scheduling, logic, thermal, power, aerodynamics, etc.


Large CPS are integrated out of components developed by suppliers that use their own analysis methods and make their own assumptions


Analysis assumption mismatches are discovered late, in the system integration phase

•  Difficult and costly to solve
Boeing 787 Suppliers


(Figure: map of Boeing 787 suppliers, e.g. Mitsubishi, Latecoere.)

Source: Boeing / Reuters
Analyses Interactions


(Figure: scheduling + frequency scaling interaction; thermal runaway analysis.)

Source: National Renewable Energy Laboratory
Analysis Contracts

Analysis Contract Scheme


(Figure: a shared Model; Analysis 1 with Contract 1 over Domain 1 and Analysis 2 with Contract 2 over Domain 2, each reading from and writing to the model.)
Contract Semantic Basis


Domain D = (𝒜, 𝒮, ℛ, 𝒯, ⟦·⟧_D)

•  Sorts 𝒜 = {A1, A2, …}, e.g. Booleans, Integers, Threads, Priorities

•  Static properties: 𝒮 = {S_i}, S_i : A1 × ··· × Ak → Aj

   —  Design-time invariants. Regular operators (e.g. ∧ : 𝔹 × 𝔹 → 𝔹)

•  Runtime properties: ℛ = {R_i}, R_i : A1 × ··· × Ak → Aj

   —  Evolving valuation at different states q: q(R_i)

•  Domain execution semantics: 𝒯

   —  Infinite sequences of assignments to runtime properties (executions)

•  Domain interpretation of sorts/static properties: ⟦·⟧_D

   —  E.g. allowed schedulers; some left uninterpreted

Architectural model interpretation ⟦·⟧_M: on 𝒜, 𝒮, 𝒯

•  E.g. threads and periods: ⟦T⟧_M = {t1, t2}, ⟦Per⟧_M = {t1 ↦ 10, t2 ↦ 20}

Executions of the system defined by M:

•  Combining ⟦·⟧_D and ⟦·⟧_M into ⟦·⟧

•  Each state q in the set of possible states Q maps R_i to a function q(R_i) : ⟦A1⟧ × ··· × ⟦Ak⟧ → ⟦Aj⟧

•  With all infinite sequences of states

•  ⟦M⟧ ⊆ Q^ω
Contract Language


Contract formulas

•  Given domain D = (𝒜, 𝒮, ℛ, 𝒯, ⟦·⟧_D),

•  F_D ::= ∀ v_i · φ | ∃ v_i · φ | ∀ v_i · φ : ψ | ∃ v_i · φ : ψ

   —  v_i : A_i, φ: static (first-order) formula

   —  ψ: LTL formula

Contract C = (I, O, A, G)

•  I ⊆ (𝒜 ∪ 𝒮): sorts and properties read by the analysis

•  O ⊆ (𝒜 ∪ 𝒮): sorts and properties written by the analysis

•  A ⊆ F_D: assumptions, must be true in the input

•  G ⊆ F_D: guarantees, must be true in the output
Contract Verification


Given model M and set of analyses 𝒜𝒩 = {An_i}:

•  Contract C = (I, O, A, G) holds for the application of An_i to M iff

   —  ∀ a ∈ A · M ⊨ a, and ∀ g ∈ G · An_i(M) ⊨ g

Valid analysis ordering: no dependencies on a later analysis

•  Contract (& analysis) dependency: d(C_i, C_j) :⇔ C_i.I ∩ C_j.O ≠ ∅

Contract formulas

•  First order: in SMT (Z3)

•  LTL: model checker

•  FOL + LTL: generate all solutions of the FOL part, check LTL in each
Example: Surveillance Aircraft


(Figure: aircraft architecture with two task groups, Security: Top Secret and Security: Secret, mapped to processors powered by a battery.)

Analyses

•  Security: tasks of different level to different processors

•  Scheduling: meet all deadlines

•  Freq. scaling: minimize power

•  Logic: no deadlocks or race conditions

•  Battery scheduling: meet battery lifetime

•  Battery thermal: no runaways
Surveillance Aircraft Contracts


Security analysis

•  An_sec.C: I = {T, ThSecCl}, O = {NotColoc}, A = ∅, G = {g}

   —  g: ∀ t1, t2 · ThSecCl(t1) ≠ ThSecCl(t2) ⇒ t1 ∈ NotColoc(t2)

Multiprocessor scheduling (bin packing + scheduling)

•  An_sched.C: I = {T, C, NotColoc, Per, WCET, Dline}, O = {CPUBind}, A = ∅, G = {g}

   —  g: ∀ t1, t2 · t1 ∈ NotColoc(t2) ⇒ CPUBind(t1) ≠ CPUBind(t2)

Frequency scaling

•  An_freqsc.C: I = {T, C, CPUBind, Dline}, O = {CPUFreq}, G = ∅, A = {a}

   —  a: ∀ t1, t2 · CPUBind(t1) = CPUBind(t2) : G(CanPrmpt(t1, t2) ⇒ Dline(t1) < Dline(t2))

Model checking periodic program (REK)

•  An_rek.C: I = {T, C, Per, Dline, WCET, CPUBind}, O = {ThSafe}, G = ∅, A = {a1, a2}

   —  a1: ∀ t · Per(t) = Dline(t);  a2: ∀ t1, t2 · G(CanPrmpt(t1, t2) ⇒ G ¬CanPrmpt(t2, t1))

Thermal runaway

•  An_therm.C: I = {B, BatRows, BatCols, Voltage}, O = {K}, A = ∅, G = ∅

Battery scheduling

•  An_bsched.C: I = {B, BatRows, BatCols}, O = {BatConnSchedPol, HasReqLifetime, SerialReq, ParalReq}, A = ∅, G = {g}

   —  g: G(K(0) × TN(0) + K(1) × TN(1) + K(2) × TN(2) + K(3) × TN(3) > 0)
Frequency Scaling Assumption


a: ∀ t1, t2 · CPUBind(t1) = CPUBind(t2) : G(CanPrmpt(t1, t2) ⇒ Dline(t1) < Dline(t2))


(Figure comparing schedulers against the assumption: DMS vs. RMS with P = D and with D < P; EDF vs. RMS.)
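The "FOL + LTL" check from the Contract Verification slide (enumerate all solutions of the static part, model-check the LTL part for each) and the two preemption assumptions above (a of frequency scaling, a2 of REK) are demonstrated below in an added example. It is not code from the slides or the OSATE annex: the three tasks, the integer-tick simulation (the slides' model is tickless), the definition of CanPrmpt(t1, t2) as "both have a pending job on the same CPU and the policy ranks t1's job first", and bounded evaluation of G over one hyperperiod are all assumptions of this example. Under DMS the priority order is the deadline order, so both assumptions hold; under EDF the pending job of the task with the longer relative deadline can outrank the other, which violates both.

```python
"""Checking a mixed first-order + LTL contract formula over a finite model
(added example; a tick-based stand-in for the slides' model checker)."""
from dataclasses import dataclass
from itertools import product
from math import lcm


@dataclass(frozen=True)
class Task:
    name: str
    per: int    # Per(t)
    wcet: int   # WCET(t)
    dline: int  # Dline(t), relative deadline
    cpu: int    # CPUBind(t)


# Constructed model: t1 and t2 share CPU 0, t3 runs alone on CPU 1 (not from the slides)
TASKS = (Task("t1", 10, 5, 10, 0), Task("t2", 6, 2, 6, 0), Task("t3", 15, 4, 15, 1))


def simulate(tasks, policy):
    """Execution of the model under a scheduling policy ("DMS" or "EDF") over one
    hyperperiod, at integer ticks. A state is the valuation of the runtime property
    CanPrmpt: the set of (t1, t2) such that both have a pending job on the same CPU
    and the policy ranks t1's job above t2's (t1 can preempt t2)."""
    remaining = {t: 0 for t in tasks}   # unfinished work of the current job
    absdl = {t: 0 for t in tasks}       # absolute deadline of the current job
    rank = lambda t: t.dline if policy == "DMS" else absdl[t]   # lower = higher priority
    trace = []
    for now in range(lcm(*(t.per for t in tasks))):
        for t in tasks:
            if now % t.per == 0:        # periodic release
                remaining[t], absdl[t] = t.wcet, now + t.dline
        trace.append(frozenset((a, b) for a in tasks for b in tasks
                               if a is not b and a.cpu == b.cpu
                               and remaining[a] > 0 and remaining[b] > 0
                               and rank(a) < rank(b)))
        for cpu in {t.cpu for t in tasks}:   # each CPU runs its highest-ranked pending job
            pending = [t for t in tasks if t.cpu == cpu and remaining[t] > 0]
            if pending:
                remaining[min(pending, key=rank)] -= 1
    return trace


def holds(psi, trace, i, env):
    """LTL evaluation at position i of a finite trace. Formulas are tuples:
    ("atom", f), ("not", p), ("implies", p, q), ("G", p); G ranges over the rest
    of the hyperperiod-long trace (bounded semantics, an assumption of this example)."""
    op, *args = psi
    if op == "atom":
        return args[0](trace[i], env)
    if op == "not":
        return not holds(args[0], trace, i, env)
    if op == "implies":
        return not holds(args[0], trace, i, env) or holds(args[1], trace, i, env)
    if op == "G":
        return all(holds(args[0], trace, j, env) for j in range(i, len(trace)))
    raise ValueError(op)


def check(nvars, domain, phi, psi, trace):
    """∀ v1..vn · φ : ψ as on the slides: enumerate every solution of the static
    formula φ over the finite domain, then model-check ψ on the execution for each
    solution. Returns the solutions for which ψ fails (empty = formula holds)."""
    return [env for env in product(domain, repeat=nvars)
            if phi(env) and not holds(psi, trace, 0, env)]


# Runtime atoms over a state q (a CanPrmpt valuation) and a binding env = (t1, t2)
CAN_PRMPT = ("atom", lambda q, env: (env[0], env[1]) in q)
CAN_PRMPT_REV = ("atom", lambda q, env: (env[1], env[0]) in q)

# a (frequency scaling): ∀t1,t2 · CPUBind(t1) = CPUBind(t2) : G(CanPrmpt(t1,t2) ⇒ Dline(t1) < Dline(t2))
A_FREQ = ("G", ("implies", CAN_PRMPT, ("atom", lambda q, env: env[0].dline < env[1].dline)))
# a2 (REK): ∀t1,t2 · G(CanPrmpt(t1,t2) ⇒ G ¬CanPrmpt(t2,t1))
A2_REK = ("G", ("implies", CAN_PRMPT, ("G", ("not", CAN_PRMPT_REV))))
# a1 (REK) is purely static: ∀t · Per(t) = Dline(t)
A1_REK = ("atom", lambda q, env: env[0].per == env[0].dline)


def assumption_violations(policy, tasks=TASKS):
    """Violating bindings (by task name) of the three assumptions under a policy."""
    trace = simulate(tasks, policy)
    names = lambda envs: [tuple(t.name for t in env) for env in envs]
    return {
        "freqsc_a": names(check(2, tasks, lambda e: e[0].cpu == e[1].cpu, A_FREQ, trace)),
        "rek_a1": names(check(1, tasks, lambda e: True, A1_REK, trace)),
        "rek_a2": names(check(2, tasks, lambda e: True, A2_REK, trace)),
    }


if __name__ == "__main__":
    for policy in ("DMS", "EDF"):
        print(policy, assumption_violations(policy))
```

Running it reports no violations for DMS; for EDF the binding (t1, t2) violates the frequency scaling assumption at the tick where t2's new job is released while t1's earlier-deadline job is still pending, and both (t1, t2) and (t2, t1) violate a2 because the priority relation between the two tasks flips over time. Enumerating the static solutions first is what keeps the LTL check small: each model-checking run is over a single binding rather than over the quantifier.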
Battery Scheduling Assumption


g: G(K(0) × TN(0) + K(1) × TN(1) + K(2) × TN(2) + K(3) × TN(3) > 0)

TN(k): ratio of cells with k neighbors (k = 0, 1, 2, 3); K(k): coefficient produced by the thermal runaway analysis

Instance: 1 · TN(1) − 1 · TN(2) + 10 · TN(3) > 0

•  Configuration 1 (4 cells with 1 neighbor, 10 with 2, 2 with 3): 1 · 4 − 1 · 10 + 10 · 2 = 14 > 0

•  Configuration 2 (2 cells with 1 neighbor, 14 with 2, 0 with 3): 1 · 2 − 1 · 14 + 10 · 0 = −12 < 0


(Figure: two cell arrays with their connections; legend: cells with 1 neighbor TN(1), cells with 2 neighbors TN(2), cells with 3 neighbors TN(3).)
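As an added example (not the slides' battery model checker), the following computes TN(k) from a cell-connection topology and evaluates the formula above over the sequence of topologies a connection schedule switches through, which is what G(…) quantifies over. The coefficients are the slide's instance; K(0) = 0 is an assumption, since the instance has no TN(0) term. The two topologies are constructed so that their neighbor counts match the slide's two configurations: a branched 16-cell topology (4/10/2 cells with 1/2/3 neighbors) and a plain serial string of 16 cells (2 end cells with 1 neighbor, 14 with 2).

```python
"""Evaluating the battery-scheduling thermal formula over the topologies a connection
schedule produces (added example; not the slides' battery model checker)."""
from collections import Counter

# K(k): thermal coefficient for a cell with k connected neighbours. The slide's instance
# uses 1, -1 and 10 for k = 1, 2, 3 and has no TN(0) term, so K(0) = 0 is assumed here.
K = {0: 0, 1: 1, 2: -1, 3: 10}


def neighbour_histogram(n_cells, edges):
    """TN(k): number of cells with exactly k connected neighbours in one topology.
    Cells with more than 3 neighbours are outside the formula and rejected."""
    deg = Counter()
    for a, b in edges:
        deg[a] += 1
        deg[b] += 1
    if any(d > 3 for d in deg.values()):
        raise ValueError("formula covers at most 3 neighbours per cell")
    return {k: sum(1 for c in range(n_cells) if deg[c] == k) for k in K}


def thermal_margin(tn, k=K):
    """Sum of K(k) * TN(k); the formula g requires this to stay > 0."""
    return sum(k[i] * tn[i] for i in k)


def first_runaway_state(topologies):
    """G(margin > 0) over an execution given as the sequence of (cell count, edges)
    topologies the connection scheduler switches through. Returns the index of the
    first violating state, or None if the formula holds on the whole sequence."""
    for i, (n, edges) in enumerate(topologies):
        if thermal_margin(neighbour_histogram(n, edges)) <= 0:
            return i
    return None


def serial_string(n):
    """n cells connected in series: 2 end cells with 1 neighbour, n-2 with 2."""
    return [(i, i + 1) for i in range(n - 1)]


# Constructed 16-cell topology with the same counts as the slide's first configuration:
# 4 cells with 1 neighbour, 10 with 2, 2 with 3 (branch points at cells 6 and 9)
BRANCHED16 = [(0, 1), (1, 2), (2, 6), (3, 4), (4, 5), (5, 6), (6, 7), (7, 8), (8, 9),
              (9, 10), (10, 11), (11, 12), (9, 13), (13, 14), (14, 15)]


if __name__ == "__main__":
    for name, edges in (("branched", BRANCHED16), ("serial", serial_string(16))):
        tn = neighbour_histogram(16, edges)
        print(name, tn, thermal_margin(tn))
    print(first_runaway_state([(16, BRANCHED16), (16, serial_string(16))]))
```

A schedule that starts in the branched topology and then reconfigures the pack into one serial string fails the formula in its second state, reproducing the −12 of the slide; the first state alone passes with margin 14.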
Analyses Dependencies


(Figure: dependency graph between the analyses, derived from the contracts' I and O sets.)
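The dependency relation d(C_i, C_j) from the Contract Verification slide and the dependency graph above can be computed mechanically from the contracts' I and O sets. The following is an added example (not the OSATE annex implementation) that transcribes the six surveillance-aircraft contracts, derives the dependencies, checks whether a given analysis ordering is valid (no analysis depends on one that runs later), and produces a valid ordering or reports that none exists; the name-based tie-break is an assumption of this example.

```python
"""Contract dependencies and valid analysis orderings from the contracts' I/O sets
(added example; not the OSATE annex implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    name: str
    reads: frozenset    # I: sorts and properties read by the analysis
    writes: frozenset   # O: sorts and properties written by the analysis


# I/O sets transcribed from the surveillance-aircraft contracts
CONTRACTS = [
    Contract("sec", frozenset({"T", "ThSecCl"}), frozenset({"NotColoc"})),
    Contract("sched", frozenset({"T", "C", "NotColoc", "Per", "WCET", "Dline"}),
             frozenset({"CPUBind"})),
    Contract("freqsc", frozenset({"T", "C", "CPUBind", "Dline"}), frozenset({"CPUFreq"})),
    Contract("rek", frozenset({"T", "C", "Per", "Dline", "WCET", "CPUBind"}),
             frozenset({"ThSafe"})),
    Contract("therm", frozenset({"B", "BatRows", "BatCols", "Voltage"}), frozenset({"K"})),
    Contract("bsched", frozenset({"B", "BatRows", "BatCols"}),
             frozenset({"BatConnSchedPol", "HasReqLifetime", "SerialReq", "ParalReq"})),
]


def depends(ci, cj):
    """d(Ci, Cj): Ci reads something Cj writes, i.e. Ci.I ∩ Cj.O ≠ ∅ (self excluded)."""
    return ci is not cj and bool(ci.reads & cj.writes)


def dependencies(contracts):
    """Contract name -> sorted names of the contracts it depends on."""
    return {c.name: sorted(d.name for d in contracts if depends(c, d)) for c in contracts}


def is_valid_ordering(order):
    """Valid iff no analysis depends on one that runs later."""
    return not any(depends(order[i], order[j])
                   for i in range(len(order)) for j in range(i + 1, len(order)))


def valid_ordering(contracts):
    """A valid ordering (Kahn-style topological sort, name tie-break), or None when
    the dependencies are cyclic and no ordering can be valid."""
    remaining, order = list(contracts), []
    while remaining:
        ready = sorted((c for c in remaining if not any(depends(c, d) for d in remaining)),
                       key=lambda c: c.name)
        if not ready:
            return None
        order.append(ready[0])
        remaining.remove(ready[0])
    return order


if __name__ == "__main__":
    print(dependencies(CONTRACTS))
    print([c.name for c in valid_ordering(CONTRACTS)])
```

The result puts the security analysis before multiprocessor scheduling, and scheduling before both frequency scaling and REK, while the two battery analyses are unconstrained. One caveat the example makes visible: the detection only sees what is declared in I and O. The battery-scheduling guarantee g on the contracts slide refers to K, the output of the thermal runaway analysis, but K is not listed in that contract's I, so no dependency edge between the two battery analyses is derived from the sets as written.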
Implementation


Models in the Architecture Analysis and Design Language (AADL)

•  Supports multiple analyses

•  Supports language extensions (sub-annexes)

•  OSATE implementation

Analysis Contract Annex

•  Implements the contract language

•  Generates the model interpretation

Contract formula verification

•  First-order logic (static): SMT / Z3

•  LTL (runtime): model checking / SPIN
Contract Verification Architecture


(Figure: verification architecture.)
First-Order Logic Verification (Z3)


; Scheduling guarantee g: ∀ t1, t2 · t1 ∈ NotColoc(t2) ⇒ CPUBind(t1) ≠ CPUBind(t2),
; checked on the model's finite interpretation: threads {0, 1, 2}, processors {0, 1}.
(define-sort thread () Int)
(define-sort processor () Int)

; CPUBind, as computed by the scheduling analysis
(declare-fun Actual_Processor_Binding (thread) Int)

; NotColoc, as computed by the security analysis: thread 0 must not share a
; processor with threads 1 and 2
(define-fun Not_Collocated ((x1 thread) (x2 thread)) Bool
  (ite (and (= x1 0) (= x2 1)) true
  (ite (and (= x1 0) (= x2 2)) true
  (ite (and (= x1 1) (= x2 0)) true
  (ite (and (= x1 2) (= x2 0)) true false)))))

(assert (= (Actual_Processor_Binding 0) 0))
(assert (= (Actual_Processor_Binding 1) 1))
(assert (= (Actual_Processor_Binding 2) 1))

; Assert the negation of g over the finite thread domain: unsat means no pair of
; threads violates g, i.e. the guarantee holds for this binding
(assert (not (forall ((x1 thread) (x2 thread))
  (=> (and (or (= x1 0) (= x1 1) (= x1 2))
           (or (= x2 0) (= x2 1) (= x2 2)))
      (=> (and (not (= x1 x2)) (Not_Collocated x1 x2))
          (not (= (Actual_Processor_Binding x1) (Actual_Processor_Binding x2))))))))
(check-sat)
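The Analysis Contract Annex "generates the model interpretation"; the script above is what such a generated interpretation looks like for one contract. The added example below (not the annex's code) shows the translation step for the same guarantee: it takes a small model instance (the thread set, the security classes, and the processor binding; the class values are assumed), computes NotColoc as the security analysis would, emits the SMT-LIB text with the negated guarantee, and also evaluates the guarantee directly over the finite model so the expected solver verdict is known without running Z3. The emitted text is meant to be passed to the z3 binary; `unsat` corresponds to the direct evaluation returning True.

```python
"""Generating the Z3 (SMT-LIB) encoding of the scheduling contract's guarantee
from an architectural model instance (added example, not the OSATE annex code)."""

# Constructed model instance: three threads on two processors (same binding as the slide).
# The security classes are assumed; they yield the same NotColoc relation as the slide.
THREADS = [0, 1, 2]
THREAD_SEC_CL = {0: "TopSecret", 1: "Secret", 2: "Secret"}   # ThSecCl
CPU_BIND = {0: 0, 1: 1, 2: 1}                                 # CPUBind / Actual_Processor_Binding


def not_coloc(sec_cl):
    """Output of the security analysis: NotColoc(t1, t2) iff the security levels differ."""
    return {(a, b) for a in sec_cl for b in sec_cl if a != b and sec_cl[a] != sec_cl[b]}


def smtlib_for_guarantee(threads, bind, notcoloc):
    """Encode ∀t1,t2 · t1 ∈ NotColoc(t2) ⇒ CPUBind(t1) ≠ CPUBind(t2) over the finite
    interpretation of the thread sort, and assert its negation: an `unsat` answer from
    the solver means the guarantee holds for the given binding."""
    def dom(v):  # restrict a quantified variable to the model's threads
        return "(or " + " ".join(f"(= {v} {t})" for t in threads) + ")"
    nc = "false"  # build the ite chain innermost-first so the smallest pair ends outermost
    for a, b in sorted(notcoloc, reverse=True):
        nc = f"(ite (and (= x1 {a}) (= x2 {b})) true {nc})"
    lines = ["(define-sort thread () Int)",
             "(declare-fun Actual_Processor_Binding (thread) Int)",
             f"(define-fun Not_Collocated ((x1 thread) (x2 thread)) Bool {nc})"]
    lines += [f"(assert (= (Actual_Processor_Binding {t}) {bind[t]}))" for t in threads]
    lines += ["(assert (not (forall ((x1 thread) (x2 thread))",
              f"  (=> (and {dom('x1')} {dom('x2')})",
              "      (=> (and (not (= x1 x2)) (Not_Collocated x1 x2))",
              "          (not (= (Actual_Processor_Binding x1) (Actual_Processor_Binding x2))))))))",
              "(check-sat)"]
    return "\n".join(lines)


def guarantee_holds(bind, notcoloc):
    """Direct evaluation of the same guarantee over the finite model: what `unsat` certifies."""
    return all(bind[a] != bind[b] for (a, b) in notcoloc)


if __name__ == "__main__":
    nc = not_coloc(THREAD_SEC_CL)
    print(smtlib_for_guarantee(THREADS, CPU_BIND, nc))
    print("; guarantee holds:", guarantee_holds(CPU_BIND, nc))
```

With the slide's binding the direct evaluation returns True and the solver is expected to answer `unsat`; moving thread 1 onto processor 0 makes the evaluation False, and the same negated assertion becomes satisfiable, with the model Z3 returns being the violating pair. Keeping the quantified variables restricted to the enumerated thread values (the `dom` guard) is what makes the formula decidable by finite case analysis rather than relying on quantifier instantiation over all of Int.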
Model Checking for Scheduling


Periodic tasks

•  Multiple processors allow global scheduling

Priority-based scheduling

•  Fixed task priorities: fixed at configuration time (RMS / DMS)

•  Dynamic task priorities (fixed per job): change at job arrival (EDF)

Tickless model

•  Time advances by scheduling events

   —  Deterministically: the next event is a deterministic arrival

   —  Non-deterministically: multiple possible events

Clock variable resets

•  To the earliest event among the clock variables
Model Checking for Battery Scheduler


Model of the battery cell scheduler

•  Schedules cells to discharge, charge, or rest

•  Matches the required output through serial connections (efficient)

•  Maximizes battery lifetime

Matrix of battery cells

•  Connections between cells change dynamically

   —  Reflects the need to provide the output voltage (serial connections) at a certain current (parallel connections)

•  Cell charge changes to reflect charging and discharging
Evaluation


Real-Time Scheduling

Threads   (R/D)MS time   EDF time
   3         0.01          0.01
   4         0.01          0.52
   5         0.07         33.4
   6         0.37       2290.0
   7         2.18       Out Mem
   8        12.4        Out Mem
   9        71.2        Out Mem
  10       421          Out Mem
  11       Out Mem      Out Mem

Battery Scheduling

Cells    FGURR      FGWRR      GPWRR
   9       0.13       0.15       0.15
  12       0.61       2.34       3.94
  16      44         31.4      127
  20    1060        619        Out Mem
  25    Out Mem     Out Mem    Out Mem

Time in seconds. Amazon EC2 virtual machine with 8 cores and 30 GB of memory.
Conclusions


Analyses are key for the development of CPS

•  But inconsistent assumptions may compromise results

Analysis contracts to automatically verify assumptions

•  Analysis contract language & verification framework

•  Implementation in an AADL sub-annex

Example

•  Two domains

•  Five analyses

Analysis contracts: sound and scalable

•  Single multi-domain analysis intractable